java - How to use expression-based access control in spring? -
i new spring.i have created api user login.the user login method contains following codes:
authentication auth =new usernamepasswordauthenticationtoken(repo.findbyemail(user.getemail()), null, repo.findbyemail(user.getemail()).getauthorities()); securitycontextholder.getcontext().setauthentication(auth); principal principal= securitycontextholder.getcontext().getauthentication(); return (user) auth.getprincipal();
the login api gives me following json:
{ "userid": 1, "username": "ramesh khadka", "email": "test@gmail.com", "enabled": true, "role": "manager", "username": "ramesh khadka", "authorities": [ { "authority": "role_manager" } ], "accountnonexpired": true, "accountnonlocked": true, "credentialsnonexpired": true }
i have api users uses @preauthorize("hasauthority('role_manager')") check authorities granted.when call api following message shown:-
{ "error": "unauthorized", "error_description": "full authentication required access resource" }
i cannot figure out doing wrong.could me on this?
my authorizationserver is:-
@configuration @enableauthorizationserver public class securityserver extends authorizationserverconfigureradapter { @autowired @qualifier("userdetailsservice") private userdetailsservice userdetailsservice; @autowired private authenticationmanager authenticationmanager; @override public void configure(authorizationserversecurityconfigurer security) throws exception { security.checktokenaccess("isauthenticated()"); } @override public void configure(clientdetailsserviceconfigurer clients) throws exception { // super.configure(clients); clients.inmemory() .withclient("test") .accesstokenvalidityseconds(3600) .authorizedgranttypes("authorization_code","refresh_token","password","client_credentials") .secret("user") .scopes("read", "write", "trust") .redirecturis("/error") .resourceids("resource"); } @override public void configure(authorizationserverendpointsconfigurer endpoints) throws exception { endpoints.authenticationmanager(this.authenticationmanager); endpoints.userdetailsservice(userdetailsservice); } @bean public passwordencoder passwordencoder() { return new bcryptpasswordencoder(); } @bean public filterregistrationbean corsfilter() { urlbasedcorsconfigurationsource source = new urlbasedcorsconfigurationsource(); corsconfiguration config = new corsconfiguration(); config.setallowcredentials(true); config.addallowedorigin("*"); config.addallowedheader("*"); config.addallowedmethod("*"); source.registercorsconfiguration("/**", config); filterregistrationbean bean = new filterregistrationbean(new corsfilter(source)); bean.setorder(ordered.highest_precedence); return bean; }
}
as described in code have use '@preauthorize("hasauthority('role_manager')")'
hasauthority([authority]) --> returns true if current principal has specified authority.
please add '@preauthorize("hasrole('manager')") `
@preauthorize("hasrole('user')") public void create(contact contact);
either may use role looking , check hasanyrole([role1,role2]) --> returns true if current principal has of supplied roles (given comma-separated list of strings). default if supplied role not start 'role_' added. can customized modifying defaultroleprefix on defaultwebsecurityexpressionhandler.
for more may refer these links: https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html https://dzone.com/refcardz/expression-based-authorization
Comments
Post a Comment